Appendix C. FIDO Device Onboarding Example Flow
Cette section conserve le texte RFC des SCIM device schema extensions, y compris Device and EndpointApp resource types, BLE, DPP, Ethernet MAB, FDO, Zigbee, endpointAppsExt, JSON Schema, OpenAPI, IANA registrations et security considerations.
Appendix C. FIDO Device Onboarding Example Flow
The following diagrams are included to demonstrate how FDO can be
used. In this first diagram, a device is onboarded not only to the
device owner process but also to the AAA server for initial
onboarding. The voucher contains a device certificate that is used
by the AAA system for authentication.
,------. ,------. ,-------.
|SCIM | |SCIM | |Owner | ,---.
|Client| |Server| |Service| |AAA|
`---+--' `---+--' `---+---' `-+-'
,------------------------------!. | |
|Voucher contains |_\ | |
|an X.509 cert chain | | |
`--------------------------------' | |
|1 POST [FDO(voucher)] | | |
|/HTTP | | |
|--------------------->| | |
| | | |
| |----. | |
| | | 2 Recover X.509 | |
| |<---' cert chain | |
| | from voucher | |
| | | |
| | | |
| |3 Add device(voucher) | |
| |/HTTP | |
| |--------------------->| |
| | | |
| | 4 200 "ok" | |
| |<---------------------| |
| | | |
| | 5 Add identity |
| |------------------------------->|
| | | |
| | 6 200 "ok" |
| |<-------------------------------|
| | | |
| 7 200 "ok" | | |
|<---------------------| | |
| | | |
| | | |
After this flow is complete, the device can then first provisionally
onboard and then later receive a trust anchor through FDO's Transfer
Ownership Protocol 2 (TO2) process. This is shown below.
,-------. ,------.
|Owner | ,---. |Access| ,------.
|Service| |AAA| |Point | |Device|
`---+---' `-+-' `---+--' `---+--'
| | | ,------------------!.
| | | |Device configured |_\
| | | |with well-known |
| | | |RCOI and for trust |
| | | |on first use |
| | | `--------------------'
| | ,---------------!. |
| | |WLAN configured|_\ |
| | |with well-known | |
| | |RCOI | |
| | `-----------------' |
| | | 1 EAP-TLS/EAPOL |
| | |<-----------------|
| | | |
| |2 EAP-TLS/Radius | |
| |<----------------| |
| | | |
| | ,--------------------------!.
| | |Device skips |_\
| | |server authentication |
| | `----------------------------'
| |3 Result=Success | |
| |---------------->| |
| | | |
| ,-----------------------!. |
| |Limited access |_\ |
| |for now | |
| `-------------------------' |
| | |4 Result=Success |
| | |----------------->|
| | | |
| | 5 FDO TO2 | |
|<----------------------------------------------------|
| | | |
,-------------------------------------------------------------!.
|FSIM, Runtime SSID, |_\
|Credentials incl. |
|local trust anchor |
`---------------------------------------------------------------'
| | | 6 dissasociate |
| | |<-----------------|
| | | |
| | |7 EAP-TLS w/ LSC |
| | |<-----------------|
| | | |
| | | |
. . etc . .